kube-bench/cfg/rh-1.0/controlplane.yaml

---
controls:
version: rh-1.0
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 3.1
    text: "Authentication and Authorization"
    checks:
      - id: 3.1.1
        text: "Client certificate authentication should not be used for users (Manual)"
        audit: |
          # To verify user authentication is enabled
          oc describe authentication
          # To verify that an identity provider is configured
          oc get identity
          # To verify that a custom cluster-admin user exists
          oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User
          # To verity that kbueadmin is removed, no results should be returned
          oc get secrets kubeadmin -n kube-system          
        type: manual
        remediation: |
          Configure an identity provider for the OpenShift cluster.
          Understanding identity provider configuration | Authentication | OpenShift
          Container Platform 4.5. Once an identity provider has been defined,
          you can use RBAC to define and apply permissions.
          After you define an identity provider and create a new cluster-admin user,
          remove the kubeadmin user to improve cluster security.          
        scored: false

  - id: 3.2
    text: "Logging"
    checks:
      - id: 3.2.1
        text: "Ensure that a minimal audit policy is created (Manual)"
        audit: |
          #To view kube apiserver log files
          oc adm node-logs --role=master --path=kube-apiserver/
          #To view openshift apiserver log files
          oc adm node-logs --role=master --path=openshift-apiserver/
          #To verify kube apiserver audit config
          oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
          #To verify openshift apiserver audit config
          oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'          
        type: manual
        remediation: |
          No remediation required.          
        scored: false

      - id: 3.2.2
        text: "Ensure that the audit policy covers key security concerns (Manual)"
        audit: |
          #To verify openshift apiserver audit config
          oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
          #To verify kube apiserver audit config
          oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'          
        type: manual
        remediation: |
          In OpenShift 4.6 and higher, if appropriate for your needs,
          modify the audit policy.          
        scored: false